[求助]DbgPrint打印UnicodeString竟然蓝屏？-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]DbgPrint打印UnicodeString竟然蓝屏？

发表于: 2009-3-13 00:31 10042

[求助]DbgPrint打印UnicodeString竟然蓝屏？

aliwy

2009-3-13 00:31

10042

一段初学代码，功能是：驱动列举进程，将进程名加入到一个链表中，通过IOCTL传递到应用层中。在虚拟机的纯净Win2000、WinXP和Win2003中运行正常，但如果在这些系统中安装了卡巴斯基，加载驱动正常，应用层和驱动交互时立即蓝屏，偶尔也不蓝屏，但传递出来的进程名却是乱码。WinDbg分析情况如下：
★★★★★★★★★★★★★★★

 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {fe1e3e30, 0, 80507bb6, 0}
 
Could not read faulting driver name
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys
Probably caused by : irp3.sys ( irp3!MyDeviceIoControl+b4 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: [COLOR=red]fe1e3e30[/COLOR], memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: [COLOR=red]80507bb6[/COLOR], If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
 
Could not read faulting driver name
READ_ADDRESS:  fe1e3e30 
[COLOR=blue]FAULTING_IP: [/COLOR]
[COLOR=blue]nt!_output+909[/COLOR]
[COLOR=blue]80507bb6 668b03          mov     ax,word ptr [ebx][/COLOR]
MM_INTERNAL_CODE:  0
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x50
PROCESS_NAME:  irp3exe.exe
LAST_CONTROL_TRANSFER:  from 804fff32 to 80507bb6
STACK_TEXT:  
f282d41c 804fff32 f282d438 f7d8792c f282d6d8 [COLOR=blue]nt!_output+0x909[/COLOR]
f282d458 80500006 f282d494 00000200 f7d8792c nt!_vsnprintf+0x2f
f282d6b0 80500093 80500096 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91
f282d6cc f7d87a74 f7d8792c e1ea26b8 e1ea26b0 nt!DbgPrint+0x1a
f282d70c 804e47f7 febf8030 83435cf0 806f12d0 irp3!MyDeviceIoControl+0xb4 [e:\mydriver\irp\3\sys\irp3.c @ 152]
f282d71c 80568f81 83435d60 fecd5028 83435cf0 nt!IopfCallDriver+0x31
f282d730 8057ba9f febf8030 83435cf0 fecd5028 nt!IopSynchronousServiceTail+0x70
f282d7d8 8058ffe3 000007e8 00000000 00000000 nt!IopXxxControlFile+0x611
f282d80c f5b54f98 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
f282d854 f59fbb3d 000007e8 00000000 00000000 klif+0x10f98
f282dd30 804df7ec 0012feec 000007e8 00000000 safeboxkrnl+0xab3d
f282dd30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xf8
0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4
 
STACK_COMMAND:  kb
[COLOR=blue]FOLLOWUP_IP: [/COLOR]
[COLOR=blue]irp3!MyDeviceIoControl+b4 [e:\mydriver\irp\3\sys\irp3.c @ 152][/COLOR]
[COLOR=blue]f7d87a74 83c40c          add     esp,0Ch[/COLOR]
FAULTING_SOURCE_CODE:  
   148:   }
   149:   [COLOR=red]pMyData[/COLOR] = CONTAINING_RECORD(RemoveHeadList(&ProcessListHead),
   150:          MYPROCESSDATA,
   151:          myListEntry);
[COLOR=blue]>  152:   DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);[/COLOR]
   153:   
   154:   RtlInitAnsiString(&asData, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
   155:   RtlUnicodeStringToAnsiString(&asData, &pMyData->usImageName, TRUE);
   156:   outData = (PCHAR)asData.Buffer;
   157:   outDataLen = asData.Length + 1;
 
SYMBOL_STACK_INDEX:  4
SYMBOL_NAME:  irp3!MyDeviceIoControl+b4
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: irp3
IMAGE_NAME:  irp3.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  49b52e86
FAILURE_BUCKET_ID:  0x50_irp3!MyDeviceIoControl+b4
BUCKET_ID:  0x50_irp3!MyDeviceIoControl+b4
Followup: MachineOwner
---------

★★★★★★★★★★★★★★★

代码中的pMyData被定义成全局变量。
自己分析了一下，好像是DbgPrint最终在调用_output函数时读取fe1e3e30时发生错误：

 
80507bb6 668b03          mov     ax,word ptr [ebx]        ds:0023:fe1e3e30=????

代码中的

 
DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);

如果不用%wZ打印UnicodeString，而只用%.8X打印pMyData指针地址，却又正常。
IRQL一直是在PASSIVE_LEVEL。

请大家点拨一下，下一步应该如何分析？
谢谢！！！

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#调试逆向

收藏・0

免费・0

支持

最新回复 (12)
cschenhui 雪币： 290 活跃值： (20) 能力值： ( LV3，RANK：20 ) 在线值：发帖 1 回帖 116 粉丝 0 关注私信	cschenhui 2 楼 pMyData->usImageName 本来就是一个字符串指针吧你再取地址不知道指到哪去了 2009-3-13 00:46 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 3 楼 typedef struct _MYPROCESSDATA { LIST_ENTRY myListEntry; UNICODE_STRING usImageName; //线程名称 } MYPROCESSDATA, *PMYPROCESSDATA; PMYPROCESSDATA pMyData; //全局变量 LIST_ENTRY ProcessListHead; //进程链表头 2009-3-13 01:15 0
kingcom 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 107 粉丝 0 关注私信	kingcom 4 楼不懂驱动，不过碰到这种情况的话，我会立刻看一下是不是打印进程名的时候溢出了按照pMyData->usImageName里面的长度自己手动输出一下看结果如何。 2009-3-13 09:34 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 5 楼没有溢出，我看过了。 2009-3-13 10:03 0
suisuisui 雪币： 229 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 37 粉丝 0 关注私信	suisuisui 6 楼是否没有初始化UNICODE_STRING usImageName？如果初始化了，动态调试，看UNICODE_STRING usImageName是否正常 2009-3-13 10:09 0
NaX 雪币： 218 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 151 粉丝 0 关注私信	NaX 7 楼首先如果你的进程名称是从EPROCESS取得，那么它是Ansi而不是宽字符。第二，DbgPrint不能传入UNICODE结构，而应该传入宽字符指针。 2009-3-13 10:36 0
kingcom 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 107 粉丝 0 关注私信	kingcom 8 楼如果能确定参数完全正确，一点问题都没有的话，msdn还有这样的解释： DbgPrint In Microsoft Windows Server 2003 and earlier versions of Windows, the DbgPrint routine sends a message to the kernel debugger. In Windows Vista and later versions of Windows, DbgPrint sends a message only if certain conditions apply. ULONG DbgPrint( IN PCHAR Format, . . . . [arguments] );Parameters Format Specifies a pointer to the format string to print. The Format string supports all the printf-style formatting codes. However, the Unicode format codes (%C, %S, %lc, %ls, %wc, %ws, and %wZ) can only be used with IRQL = PASSIVE_LEVEL. arguments Specifies arguments for the format string, as in printf. 不知道是不是这儿的问题？ 2009-3-13 10:54 0
better 雪币： 331 活跃值： (57) 能力值： ( LV7，RANK：100 ) 在线值：发帖 33 回帖 324 粉丝 3 关注私信	better 2 9 楼全局变量在可丢弃内存就可能发生概率性蓝屏，我一般不用INIT节 2009-3-13 11:45 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 10 楼只要退出卡巴就一切正常。开着卡巴，偶尔也正常，或者乱码，再或者就蓝屏。 2009-3-13 15:29 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 11 楼但有时候必须要用到全局变量，怎么办呢？ 2009-3-13 15:29 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 12 楼今天在本机测试，又一次蓝。 ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck D5, {8b362f80, 0, bae62933, 0} Page 18594 not present in the dump file. Type ".hh dbgerr004" for details * ERROR: Module load completed but symbols could not be loaded for klif.sys * ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details Probably caused by : klif.sys Followup: MachineOwner --------- 1: kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it was freed. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: 8b362f80, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: bae62933, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ Page 18594 not present in the dump file. Type ".hh dbgerr004" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details READ_ADDRESS: 8b362f80 Special pool FAULTING_IP: irp3!MyDeviceIoControl+1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179] bae62933 8b4218 mov eax,dword ptr [edx+18h] MM_INTERNAL_CODE: 0 IMAGE_NAME: klif.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4981a9d4 MODULE_NAME: klif FAULTING_MODULE: bae62000 irp3 DEFAULT_BUCKET_ID: CODE_CORRUPTION BUGCHECK_STR: 0xD5 PROCESS_NAME: irp3exe.exe TRAP_FRAME: ba0965d8 -- (.trap 0xffffffffba0965d8) ErrCode = 00000000 eax=e31692a8 ebx=8b362f00 ecx=6c350006 edx=8b362f68 esi=8a229730 edi=87fb25e0 eip=bae62933 esp=ba09664c ebp=ba0966f4 iopl=0 nv up ei pl zr na pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010247 irp3!MyDeviceIoControl+0x1a3: bae62933 8b4218 mov eax,dword ptr [edx+18h] ds:0023:8b362f80=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 8052137a to 804faf43 STACK_TEXT: ba096558 8052137a 00000050 8b362f80 00000000 nt!KeBugCheckEx+0x1b ba0965c0 80545588 00000000 8b362f80 00000000 nt!MmAccessFault+0x9a8 ba0965c0 bae62933 00000000 8b362f80 00000000 nt!KiTrap0E+0xd0 ba0966f4 804f019f 87fb25e0 8b362f68 806e7428 irp3!MyDeviceIoControl+0x1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179] ba096704 80659128 880163f8 806e7410 8b362f68 nt!IopfCallDriver+0x31 ba096728 80580982 8b362fd8 880163f8 8b362f68 nt!IovCallDriver+0xa0 ba09673c 805817f7 87fb25e0 8b362f68 880163f8 nt!IopSynchronousServiceTail+0x70 ba0967d8 8057a274 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5c5 ba09680c b7183830 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a WARNING: Stack unwind information not available. Following frames may be wrong. ba096854 b7049eb7 000007e8 00000000 00000000 klif+0x10830 ba096d30 8054262c 0012feec 000007e8 00000000 safeboxkrnl+0xaeb7 ba096d30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xfc 0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4 STACK_COMMAND: kb CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt 804ebf84-804ebf88 5 bytes - nt!FsRtlCheckLockForReadAccess [ 8b ff 55 8b ec:e9 5f c2 ca 36 ] 804f0912-804f0916 5 bytes - nt!IoIsOperationSynchronous (+0x498e) [ 8b ff 55 8b ec:e9 8b 7c ca 36 ] 8050548c-8050548f 4 bytes - nt!KiServiceTable+2c (+0x14b7a) [ 3e cb 5e 80:72 1a 18 b7 ] 805054c4-805054c7 4 bytes - nt!KiServiceTable+64 (+0x38) [ f8 d4 5b 80:1e 20 18 b7 ] 805054dc-805054df 4 bytes - nt!KiServiceTable+7c (+0x18) [ b4 55 5a 80:82 3a 18 b7 ] 805054f4-805054f7 4 bytes - nt!KiServiceTable+94 (+0x18) [ 84 a0 57 80:38 34 18 b7 ] 80505504-80505507 4 bytes - nt!KiServiceTable+a4 (+0x10) [ 92 47 62 80:e8 11 18 b7 ] 80505530-80505537 8 bytes - nt!KiServiceTable+d0 (+0x2c) [ c2 49 5c 80 e0 1f 5d 80:e4 53 18 b7 1a 1e 18 b7 ] 8050555c-8050555f 4 bytes - nt!KiServiceTable+fc (+0x2c) [ 22 4c 62 80:2a 16 18 b7 ] 80505564-8050556b 8 bytes - nt!KiServiceTable+104 (+0x08) [ f2 4d 62 80 4a a2 57 80:2a 18 18 b7 44 37 18 b7 ] 80505570-80505573 4 bytes - nt!KiServiceTable+110 (+0x0c) [ d0 ef 5b 80:f0 58 18 b7 ] 8050557c-8050557f 4 bytes - nt!KiServiceTable+11c (+0x0c) [ d2 4f 62 80:40 19 18 b7 ] 80505584-80505587 4 bytes - nt!KiServiceTable+124 (+0x08) [ 3c 52 62 80:a8 19 18 b7 ] 805055b0-805055b3 4 bytes - nt!KiServiceTable+150 (+0x2c) [ 7e a2 57 80:fa 35 18 b7 ] 805055e4-805055e7 4 bytes - nt!KiServiceTable+184 (+0x34) [ 3a 51 58 80:a8 4e 18 b7 ] 80505630-80505633 4 bytes - nt!KiServiceTable+1d0 (+0x4c) [ 82 b1 57 80:94 32 18 b7 ] 8050563c-8050563f 4 bytes - nt!KiServiceTable+1dc (+0x0c) [ 64 5b 62 80:4a 13 18 b7 ] 80505648-8050564b 4 bytes - nt!KiServiceTable+1e8 (+0x0c) [ 08 c4 5c 80:40 1c 18 b7 ] 80505654-80505657 4 bytes - nt!KiServiceTable+1f4 (+0x0c) [ d2 b3 5a 80:0e 54 18 b7 ] 80505660-80505663 4 bytes - nt!KiServiceTable+200 (+0x0c) [ 94 c6 5c 80:96 1b 18 b7 ] 805056e0-805056e7 8 bytes - nt!KiServiceTable+280 (+0x80) [ 8a 5e 62 80 e0 38 62 80:10 1a 18 b7 14 17 18 b7 ] 80505724-80505727 4 bytes - nt!KiServiceTable+2c4 (+0x44) [ ca 29 62 80:f2 14 18 b7 ] 80505730-80505733 4 bytes - nt!KiServiceTable+2d0 (+0x0c) [ 3e 22 5d 80:10 51 18 b7 ] 80505764-80505767 4 bytes - nt!KiServiceTable+304 (+0x34) [ 3e 68 62 80:6a 0e 18 b7 ] 80505780-80505783 4 bytes - nt!KiServiceTable+320 (+0x1c) [ 5a 3d 5a 80:0c 43 18 b7 ] 80505790-80505793 4 bytes - nt!KiServiceTable+330 (+0x10) [ 4a 61 62 80:cc 0f 18 b7 ] 80505798-8050579f 8 bytes - nt!KiServiceTable+338 (+0x08) [ 82 59 5d 80 46 62 62 80:c0 57 18 b7 68 0c 18 b7 ] 805057a8-805057ab 4 bytes - nt!KiServiceTable+348 (+0x10) [ 48 4d 5a 80:24 39 18 b7 ] 805057b4-805057b7 4 bytes - nt!KiServiceTable+354 (+0x0c) [ 02 27 5d 80:18 1f 18 b7 ] 80505814-80505817 4 bytes - nt!KiServiceTable+3b4 (+0x60) [ f6 15 5c 80:a2 4f 18 b7 ] 80505820-80505823 4 bytes - nt!KiServiceTable+3c0 (+0x0c) [ c6 03 61 80:38 54 18 b7 ] 8050583c-8050583f 4 bytes - nt!KiServiceTable+3dc (+0x1c) [ 18 2d 62 80:a0 13 18 b7 ] 80505854-8050585f 12 bytes - nt!KiServiceTable+3f4 (+0x18) [ 4a 5a 5d 80 bc 58 5d 80:1c 55 18 b7 48 56 18 b7 ] 80505864-80505867 4 bytes - nt!KiServiceTable+404 (+0x10) [ aa 39 5d 80:ea 1c 18 b7 ] 805058b4-805058b7 4 bytes - nt!KiServiceTable+454 (+0x50) [ 94 53 5b 80:5c 1d 18 b7 ] 80532ecc-80532ed1 6 bytes - nt!DebugPrint (+0x2d618) [ 8b ff 55 8b ec ff:ff 25 8c dd b4 b6 ] 80542615-80542619 5 bytes - nt!KiFastCallEntry+e5 (+0xf749) [ 2b e1 c1 e9 02:e9 b2 d3 b0 36 ] 8054261e-80542621 4 bytes - nt!KiFastCallEntry+ee (+0x09) [ 34 31 56 80:f4 cc 05 b7 ] 805455c6-805455c9 4 bytes - nt!KiTrap0E+10e (+0x2fa8) [ 28 26 54 80:0d fa 04 b7 ] 805a2cb2-805a2cb8 7 bytes - nt!KeUserModeCallback [ 6a 30 68 08 aa 4d 80:e9 21 15 aa 36 90 90 ] 192 errors : !nt (804ebf84-805a2cb8) FOLLOWUP_NAME: MachineOwner MEMORY_CORRUPTOR: PATCH_klif FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_klif BUCKET_ID: MEMORY_CORRUPTION_PATCH_klif Followup: MachineOwner --------- 2009-3-13 16:20 0
leemichael 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 28 回帖 67 粉丝 0 关注私信	leemichael 13 楼我也遇到这样的问题了,**,大家来帮帮忙啊 2009-4-7 10:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

aliwy

发帖

140

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (12)
cschenhui 雪币： 290 活跃值： (20) 能力值： ( LV3，RANK：20 ) 在线值：发帖 1 回帖 116 粉丝 0 关注私信	cschenhui 2 楼 pMyData->usImageName 本来就是一个字符串指针吧你再取地址不知道指到哪去了 2009-3-13 00:46 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 3 楼 typedef struct _MYPROCESSDATA { LIST_ENTRY myListEntry; UNICODE_STRING usImageName; //线程名称 } MYPROCESSDATA, *PMYPROCESSDATA; PMYPROCESSDATA pMyData; //全局变量 LIST_ENTRY ProcessListHead; //进程链表头 2009-3-13 01:15 0
kingcom 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 107 粉丝 0 关注私信	kingcom 4 楼不懂驱动，不过碰到这种情况的话，我会立刻看一下是不是打印进程名的时候溢出了按照pMyData->usImageName里面的长度自己手动输出一下看结果如何。 2009-3-13 09:34 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 5 楼没有溢出，我看过了。 2009-3-13 10:03 0
suisuisui 雪币： 229 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 37 粉丝 0 关注私信	suisuisui 6 楼是否没有初始化UNICODE_STRING usImageName？如果初始化了，动态调试，看UNICODE_STRING usImageName是否正常 2009-3-13 10:09 0
NaX 雪币： 218 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 151 粉丝 0 关注私信	NaX 7 楼首先如果你的进程名称是从EPROCESS取得，那么它是Ansi而不是宽字符。第二，DbgPrint不能传入UNICODE结构，而应该传入宽字符指针。 2009-3-13 10:36 0
kingcom 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 107 粉丝 0 关注私信	kingcom 8 楼如果能确定参数完全正确，一点问题都没有的话，msdn还有这样的解释： DbgPrint In Microsoft Windows Server 2003 and earlier versions of Windows, the DbgPrint routine sends a message to the kernel debugger. In Windows Vista and later versions of Windows, DbgPrint sends a message only if certain conditions apply. ULONG DbgPrint( IN PCHAR Format, . . . . [arguments] );Parameters Format Specifies a pointer to the format string to print. The Format string supports all the printf-style formatting codes. However, the Unicode format codes (%C, %S, %lc, %ls, %wc, %ws, and %wZ) can only be used with IRQL = PASSIVE_LEVEL. arguments Specifies arguments for the format string, as in printf. 不知道是不是这儿的问题？ 2009-3-13 10:54 0
better 雪币： 331 活跃值： (57) 能力值： ( LV7，RANK：100 ) 在线值：发帖 33 回帖 324 粉丝 3 关注私信	better 2 9 楼全局变量在可丢弃内存就可能发生概率性蓝屏，我一般不用INIT节 2009-3-13 11:45 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 10 楼只要退出卡巴就一切正常。开着卡巴，偶尔也正常，或者乱码，再或者就蓝屏。 2009-3-13 15:29 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 11 楼但有时候必须要用到全局变量，怎么办呢？ 2009-3-13 15:29 0
aliwy 雪币： 26 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 20 回帖 140 粉丝 0 关注私信	aliwy 12 楼今天在本机测试，又一次蓝。 ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck D5, {8b362f80, 0, bae62933, 0} Page 18594 not present in the dump file. Type ".hh dbgerr004" for details * ERROR: Module load completed but symbols could not be loaded for klif.sys * ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details Probably caused by : klif.sys Followup: MachineOwner --------- 1: kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it was freed. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: 8b362f80, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: bae62933, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ Page 18594 not present in the dump file. Type ".hh dbgerr004" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details READ_ADDRESS: 8b362f80 Special pool FAULTING_IP: irp3!MyDeviceIoControl+1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179] bae62933 8b4218 mov eax,dword ptr [edx+18h] MM_INTERNAL_CODE: 0 IMAGE_NAME: klif.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4981a9d4 MODULE_NAME: klif FAULTING_MODULE: bae62000 irp3 DEFAULT_BUCKET_ID: CODE_CORRUPTION BUGCHECK_STR: 0xD5 PROCESS_NAME: irp3exe.exe TRAP_FRAME: ba0965d8 -- (.trap 0xffffffffba0965d8) ErrCode = 00000000 eax=e31692a8 ebx=8b362f00 ecx=6c350006 edx=8b362f68 esi=8a229730 edi=87fb25e0 eip=bae62933 esp=ba09664c ebp=ba0966f4 iopl=0 nv up ei pl zr na pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010247 irp3!MyDeviceIoControl+0x1a3: bae62933 8b4218 mov eax,dword ptr [edx+18h] ds:0023:8b362f80=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 8052137a to 804faf43 STACK_TEXT: ba096558 8052137a 00000050 8b362f80 00000000 nt!KeBugCheckEx+0x1b ba0965c0 80545588 00000000 8b362f80 00000000 nt!MmAccessFault+0x9a8 ba0965c0 bae62933 00000000 8b362f80 00000000 nt!KiTrap0E+0xd0 ba0966f4 804f019f 87fb25e0 8b362f68 806e7428 irp3!MyDeviceIoControl+0x1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179] ba096704 80659128 880163f8 806e7410 8b362f68 nt!IopfCallDriver+0x31 ba096728 80580982 8b362fd8 880163f8 8b362f68 nt!IovCallDriver+0xa0 ba09673c 805817f7 87fb25e0 8b362f68 880163f8 nt!IopSynchronousServiceTail+0x70 ba0967d8 8057a274 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5c5 ba09680c b7183830 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a WARNING: Stack unwind information not available. Following frames may be wrong. ba096854 b7049eb7 000007e8 00000000 00000000 klif+0x10830 ba096d30 8054262c 0012feec 000007e8 00000000 safeboxkrnl+0xaeb7 ba096d30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xfc 0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4 STACK_COMMAND: kb CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt 804ebf84-804ebf88 5 bytes - nt!FsRtlCheckLockForReadAccess [ 8b ff 55 8b ec:e9 5f c2 ca 36 ] 804f0912-804f0916 5 bytes - nt!IoIsOperationSynchronous (+0x498e) [ 8b ff 55 8b ec:e9 8b 7c ca 36 ] 8050548c-8050548f 4 bytes - nt!KiServiceTable+2c (+0x14b7a) [ 3e cb 5e 80:72 1a 18 b7 ] 805054c4-805054c7 4 bytes - nt!KiServiceTable+64 (+0x38) [ f8 d4 5b 80:1e 20 18 b7 ] 805054dc-805054df 4 bytes - nt!KiServiceTable+7c (+0x18) [ b4 55 5a 80:82 3a 18 b7 ] 805054f4-805054f7 4 bytes - nt!KiServiceTable+94 (+0x18) [ 84 a0 57 80:38 34 18 b7 ] 80505504-80505507 4 bytes - nt!KiServiceTable+a4 (+0x10) [ 92 47 62 80:e8 11 18 b7 ] 80505530-80505537 8 bytes - nt!KiServiceTable+d0 (+0x2c) [ c2 49 5c 80 e0 1f 5d 80:e4 53 18 b7 1a 1e 18 b7 ] 8050555c-8050555f 4 bytes - nt!KiServiceTable+fc (+0x2c) [ 22 4c 62 80:2a 16 18 b7 ] 80505564-8050556b 8 bytes - nt!KiServiceTable+104 (+0x08) [ f2 4d 62 80 4a a2 57 80:2a 18 18 b7 44 37 18 b7 ] 80505570-80505573 4 bytes - nt!KiServiceTable+110 (+0x0c) [ d0 ef 5b 80:f0 58 18 b7 ] 8050557c-8050557f 4 bytes - nt!KiServiceTable+11c (+0x0c) [ d2 4f 62 80:40 19 18 b7 ] 80505584-80505587 4 bytes - nt!KiServiceTable+124 (+0x08) [ 3c 52 62 80:a8 19 18 b7 ] 805055b0-805055b3 4 bytes - nt!KiServiceTable+150 (+0x2c) [ 7e a2 57 80:fa 35 18 b7 ] 805055e4-805055e7 4 bytes - nt!KiServiceTable+184 (+0x34) [ 3a 51 58 80:a8 4e 18 b7 ] 80505630-80505633 4 bytes - nt!KiServiceTable+1d0 (+0x4c) [ 82 b1 57 80:94 32 18 b7 ] 8050563c-8050563f 4 bytes - nt!KiServiceTable+1dc (+0x0c) [ 64 5b 62 80:4a 13 18 b7 ] 80505648-8050564b 4 bytes - nt!KiServiceTable+1e8 (+0x0c) [ 08 c4 5c 80:40 1c 18 b7 ] 80505654-80505657 4 bytes - nt!KiServiceTable+1f4 (+0x0c) [ d2 b3 5a 80:0e 54 18 b7 ] 80505660-80505663 4 bytes - nt!KiServiceTable+200 (+0x0c) [ 94 c6 5c 80:96 1b 18 b7 ] 805056e0-805056e7 8 bytes - nt!KiServiceTable+280 (+0x80) [ 8a 5e 62 80 e0 38 62 80:10 1a 18 b7 14 17 18 b7 ] 80505724-80505727 4 bytes - nt!KiServiceTable+2c4 (+0x44) [ ca 29 62 80:f2 14 18 b7 ] 80505730-80505733 4 bytes - nt!KiServiceTable+2d0 (+0x0c) [ 3e 22 5d 80:10 51 18 b7 ] 80505764-80505767 4 bytes - nt!KiServiceTable+304 (+0x34) [ 3e 68 62 80:6a 0e 18 b7 ] 80505780-80505783 4 bytes - nt!KiServiceTable+320 (+0x1c) [ 5a 3d 5a 80:0c 43 18 b7 ] 80505790-80505793 4 bytes - nt!KiServiceTable+330 (+0x10) [ 4a 61 62 80:cc 0f 18 b7 ] 80505798-8050579f 8 bytes - nt!KiServiceTable+338 (+0x08) [ 82 59 5d 80 46 62 62 80:c0 57 18 b7 68 0c 18 b7 ] 805057a8-805057ab 4 bytes - nt!KiServiceTable+348 (+0x10) [ 48 4d 5a 80:24 39 18 b7 ] 805057b4-805057b7 4 bytes - nt!KiServiceTable+354 (+0x0c) [ 02 27 5d 80:18 1f 18 b7 ] 80505814-80505817 4 bytes - nt!KiServiceTable+3b4 (+0x60) [ f6 15 5c 80:a2 4f 18 b7 ] 80505820-80505823 4 bytes - nt!KiServiceTable+3c0 (+0x0c) [ c6 03 61 80:38 54 18 b7 ] 8050583c-8050583f 4 bytes - nt!KiServiceTable+3dc (+0x1c) [ 18 2d 62 80:a0 13 18 b7 ] 80505854-8050585f 12 bytes - nt!KiServiceTable+3f4 (+0x18) [ 4a 5a 5d 80 bc 58 5d 80:1c 55 18 b7 48 56 18 b7 ] 80505864-80505867 4 bytes - nt!KiServiceTable+404 (+0x10) [ aa 39 5d 80:ea 1c 18 b7 ] 805058b4-805058b7 4 bytes - nt!KiServiceTable+454 (+0x50) [ 94 53 5b 80:5c 1d 18 b7 ] 80532ecc-80532ed1 6 bytes - nt!DebugPrint (+0x2d618) [ 8b ff 55 8b ec ff:ff 25 8c dd b4 b6 ] 80542615-80542619 5 bytes - nt!KiFastCallEntry+e5 (+0xf749) [ 2b e1 c1 e9 02:e9 b2 d3 b0 36 ] 8054261e-80542621 4 bytes - nt!KiFastCallEntry+ee (+0x09) [ 34 31 56 80:f4 cc 05 b7 ] 805455c6-805455c9 4 bytes - nt!KiTrap0E+10e (+0x2fa8) [ 28 26 54 80:0d fa 04 b7 ] 805a2cb2-805a2cb8 7 bytes - nt!KeUserModeCallback [ 6a 30 68 08 aa 4d 80:e9 21 15 aa 36 90 90 ] 192 errors : !nt (804ebf84-805a2cb8) FOLLOWUP_NAME: MachineOwner MEMORY_CORRUPTOR: PATCH_klif FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_klif BUCKET_ID: MEMORY_CORRUPTION_PATCH_klif Followup: MachineOwner --------- 2009-3-13 16:20 0
leemichael 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 28 回帖 67 粉丝 0 关注私信	leemichael 13 楼我也遇到这样的问题了,**,大家来帮帮忙啊 2009-4-7 10:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复